Installation Guide: Amazon ECS - mongodb/mlab-data-api GitHub Wiki

Contents

This page contains instructions for deploying the mLab Data API to Amazon Elastic Container Service (ECS) and maintaining the configuration of the deployment after it is running.

• Prerequisites
• Deploying to Amazon ECS
  • 1. Login to ECS and click "Get Started"
  • 2. Configure custom container
  • 3. Configure task
  • 4. Configure service
  • 5. Configure cluster
  • 6. Build
  • 7. Find your service's DNS name
  • 8. Enable SSL
• Modifying Running Configuration

Prerequisites

1. Sign up for AWS

• If you do not already have an AWS account, you can sign up for one here: https://portal.aws.amazon.com/billing/signup

2. Create an IAM user

• You will need an AWS Identity and Access Management (IAM) user with the AdministratorAccess policy. If you do not already have such a user, you can follow the instructions to create one here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html#create-an-iam-user

Deploying to Amazon ECS

1. Login to ECS and click "Get Started"

• Login to the Amazon ECS console
• Make sure your ECS console is in the same region as your MongoDB deployment(s)
• Click the blue "Get Started" button (Fig. 1)
  • If you end up on the "Clusters" page, click the grey "Get Started" button (NOT the blue "Create Cluster" button)

Figure 1: (go back ⬆️)

2. Configure custom container

• Click the "Configure" button in the "custom" container definition (Fig. 2)
• Fill out the following container fields (Fig. 3):
  • Container name: mlab-data-api
  • Image: quay.io/mongodb/mlab-data-api
  • Port mappings: 8080 | tcp
• Expand the “Advanced” settings and fill out the environment variables (Fig. 4):
  • MLAB_DATA_API_KEY: Secret API key for authenticating all requests
  • MLAB_DATA_API_CONFIG: Raw JSON config (see Configuration for more info)
    • Configure the port as 8080
• Click the blue "Update" button

Figure 2: (go back ⬆️)

Figure 3: (go back ⬆️)

Figure 4: (go back ⬆️)

3. Configure task

• Click the "Edit" button in the "Task Definition" section
• Set the "Task definition name" to "mlab-data-api" (Fig. 5)
• Click the blue "Save" button
• Click the blue "Next" button

Figure 5: (go back ⬆️)

4. Configure service

• For "Load balancer type" choose "Application Load Balancer" (Fig. 6)
• Click the blue "Next" button

Figure 6: (go back ⬆️)

5. Configure cluster

• Set "Cluster name" to "mlab-data-api" (Fig. 7)
• Click the blue "Next" button

Figure 7: (go back ⬆️)

6. Build

• If everything looks good, click the blue "Create" button
• Wait for service to finish provisioning
• Click "View service"

7. Find your service's DNS name

• To make requests to the API, you’ll need the DNS address for the gateway. To find it, first click on the “Target Group Name” under “Load Balancing” in the “Details” tab of the service, which will take you to the group. (Fig. 8)
• Click on the "Load balancer" ID in the "Basic Configuration" section to go to the load balancer configuration. (Fig. 9)
• Copy the "DNS name" from the "Basic Configuration" section and use that as the base URL for your API requests. (Fig. 10)
  • Consider creating a more useful DNS entry that maps to the above DNS name for convenience.

Figure 8: (go back ⬆️)

Figure 9: (go back ⬆️)

Figure 10: (go back ⬆️)

8. Enable SSL

The default load balancer that the above process creates for you is using plain HTTP on port 8080. If you want to enable SSL (HTTPS) for a more secure connection, follow these instructions:

• Navigate to your load balancer as described in the previous step
• On the "Listeners" tab, click the "Add listener" button (Fig. 11)
• Fill out the form: (Fig. 12)
  • In the Protocol : port section, set the Protocol to "HTTPS" and the port to "443"
  • In the "Default action(s)" section, click "Add action"
    • Choose "Forward to..."
    • In the “Target group:” field, select the target group for the mlab-data-api service
    • Click on the blue check icon to save.
  • Choose your security policy
    • If you are unsure which policy to use, Amazon recommends using ELBSecurityPolicy-2016-08
  • Choose your SSL certificate, optionally creating a new one if needed
  • Click the "Save" button
• Click the yellow triangle next to the newly created listener (Fig. 13)
• Click the link to the security group in the tooltip that appears
• Click on the security group (Fig. 14)
• Edit the inbound rules and change the type to HTTPS and allow traffic from "Anywhere" (or something more restrictive if desired) (Fig. 15)
• Click "Save rules"
• Remove the existing HTTP:8080 listener from the load balancer

Figure 11: (go back ⬆️)

Figure 12: (go back ⬆️)

Figure 13: (go back ⬆️)

Figure 14: (go back ⬆️)

Figure 15: (go back ⬆️)

Modifying Running Configuration

Follow these steps to change the API key (MLAB_DATA_API_KEY) or configuration (MLAB_DATA_API_CONFIG) of your running mLab Data API ECS deployment

1. Create new task revision

• Click on "Task Definitions" in the left nav
• Select the checkbox next to the "mlab-data-api" task (Fig. 16)
• Click "Create new revision"

Figure 16: (go back ⬆️)

2. Modify container configuration

• Scroll down to "Container Definitions" section
• Click on the "mlab-data-api" container (Fig. 17)
• Scroll down to the "Environment variables" section
• Modify the MLAB_DATA_API_KEY and MLAB_DATA_API_CONFIG variables as needed (Fig. 18)
• Click the blue "Update" button
• Click the blue "Create" button

Figure 17: (go back ⬆️)

Figure 18: (go back ⬆️)

3. Deploy new task revision

• Click on "Clusters" in the left nav
• Click on the "mlab-data-api" cluster (Fig. 19)
• In the "Services" tab, click on the "mlab-data-api-service" (Fig. 20)
• Click the blue "Update" button (Fig. 21)
• In the "Task Definition" section, select the latest revision (Fig. 22)
• Click "Skip to review"
• Click "Update service"

Figure 19: (go back ⬆️)

Figure 20: (go back ⬆️)

Figure 21: (go back ⬆️)

Figure 22: (go back ⬆️)